
GHOST Flaw Spooks Web Servers Worldwide

Credit: Qualys


UPDATED 11 am EST Wednesday: We read one of the source documents incorrectly -- many common Linux server applications are NOT vulnerable to GHOST.

A newly disclosed flaw opens up most Linux-based Web and mail servers to attack, researchers from Redwood Shores, California-based security firm Qualys disclosed today (Jan. 27).

The flaw, dubbed "GHOST" by its discoverers, "allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials" (i.e., administrative passwords), Qualys staffer Amol Sarwate said in a company blog posting.

"As a proof of concept, we developed a full-fledged remote exploit against the Exim mail server, bypassing all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines," Qualys researchers posted on the Openwall security mailing list earlier today.


GHOST is of immediate and urgent concern to any IT professional administering a Linux-based server, but users of desktop Linux should also install patches, which have already been pushed out by Red Hat and Ubuntu, among others. (Red Hat Fedora 20 and later, and Ubuntu 13.10 and later, were already immune.)

Various flavors of Linux power at least a third of the world's Web servers and mail servers, but it's likely that administrators at top Web-based companies were tipped off ahead of today's disclosure.

GHOST, designated CVE-2015-0235 per security-industry convention, is the fourth major vulnerability in open-source software found in the past 10 months. The stampede began with the discovery of the Heartbleed flaw in OpenSSL in April, then continued with the Shellshock hole in the Bash command-line shell in September, followed by the POODLE weakness in Web encryption in October.

Such technical talk may be gobbledygook to most computer users, but arcane open-source software runs the Internet and the Web that rides on top of it. Any major open-source flaw threatens not only the massive global Internet economy, but your ability to check your own Facebook page.

"To be clear, this is NOT the end of the Internet," wrote Jen Ellis of Boston information-security firm Rapid7 in an official blog posting. "It's also not another Heartbleed. But it is potentially nasty, and you should patch and reboot your affected systems immediately."

The flaw exists in older versions of the GNU C library, or glibc, a repository of open-source software written in the C and C++ coding languages. Newer versions of glibc, beginning with glibc 2.18, released in August 2013, are not affected. But many builds of Linux may still be using older versions.
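As an added example (not from the article, and not Qualys' code), a first-pass shell check for the version threshold the article names: whether a host's glibc predates 2.18. Distribution packages backport fixes, so a pre-2.18 version string is a prompt to confirm the vendor's patched package is installed, not proof of exposure; the `getconf` call and the sample "glibc 2.17" line are assumptions for illustration.

```shell
#!/bin/sh
# Added example: decide whether a glibc version string predates 2.18, the
# release the article names as the first unaffected one. Vendors backport
# fixes into older version numbers, so treat "predates" as "go verify the
# package", not as "vulnerable".

# Return 0 when "MAJOR.MINOR[.PATCH]" is below 2.18, 1 when it is 2.18 or
# newer, and 2 when the input is not a parseable version.
glibc_version_predates_fix() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*|"") return 2 ;; esac
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 18 ]; then return 0; fi
    return 1
}

# Pull the version out of a getconf line such as "glibc 2.17" (constructed sample).
parse_getconf_line() {
    printf '%s\n' "$1" | sed -n 's/^glibc \([0-9][0-9.]*\).*/\1/p'
}

# Live check on this host: prints a verdict and returns the comparison status.
# Note that a patched library only takes effect in processes started after the
# update, which is why the article's advice is to patch and reboot.
check_running_glibc() {
    line=$(getconf GNU_LIBC_VERSION 2>/dev/null) || { echo "getconf unavailable"; return 2; }
    ver=$(parse_getconf_line "$line")
    if glibc_version_predates_fix "$ver"; then
        echo "glibc $ver predates 2.18: confirm the distro's patched package, then reboot"
        return 0
    else
        echo "glibc $ver is 2.18 or newer"
        return 1
    fi
}
```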

In addition to Exim, server software vulnerable to GHOST includes Apache, Sendmail, Nginx, MySQL, CUPS, Samba and many others, according to a post by Qualys researchers on the Full Disclosure mailing list. CORRECTION: The applications listed on the Full Disclosure page are NOT vulnerable to GHOST.

The risk to users of massively subscribed services such as Twitter, Facebook and all of Google's online services should be low, presuming that administrators of those companies' servers have already implemented or are currently implementing patches. (It's possible that last night's 40-minute Facebook outage was the result of this.)

But implementation of the patches will have to be manual, which means that millions of websites and mail servers that don't get the same degree of administrative attention will continue to be vulnerable for an extended period of time.

Qualys will not release the exact details of its exploit right away, but expect to see pranksters such as Lizard Squad try to use GHOST to deface websites in the coming weeks.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • ammaross
    Rather than "updated" marks at the top and a bold statement, perhaps putting strikethroughs in several sensationalist statements would be in order as well, such as the opening "A newly disclosed flaw opens up most Linux-based..."

    Nothing to see here. Move along.
  • Paul Wagenseil
    Thought about that, but strikethroughs aren't part of our official style.

    By the way, we're not trying to be sensationalist. This is a real flaw that needs real patching.
  • ammaross
    Thought about that, but strikethroughs aren't part of our official style.

    By the way, we're not trying to be sensationalist. This is a real flaw that needs real patching.

    The real flaw does not affect the big name mail and web servers, and would be similar to calling out some critical flaw in the server routines of Age of Empires II if you host a multiplayer game. 1) who is using it: not many people, 2) is it serious? yes for those few people who do use it.

    I was emphasizing the article was written with the tone of "It is affecting the whole internet!" (as that was the original interpretation) whereas it is not.
  • p05esto
    Um, it's a real flaw and what you think are big name servers doesn't really matter. You don't know, what's big to you is important to another. You must be a Linux fan. If this was Windows you'd say burn MS to the ground and scatter the ashes.
  • dovah-chan
    Nice bait but the fish ain't gonna bite mate. Pretty obvious it's a red herring logical fallacy.